feat: [[trusted]] config + FederationHello for one-sided federation

- Added [[trusted]] config: relay B can accept inbound federation
  from relay A by fingerprint alone, without knowing A's address.
  A connects to B with [[peers]], B trusts A with [[trusted]].

- FederationHello signal: outbound connections send their TLS
  fingerprint as first signal. The accepting relay verifies it
  against [[peers]] (by IP) or [[trusted]] (by fingerprint).

- Tested 3-relay chain: A→B←C. Both A and C connect to B, B trusts
  both. B correctly accepts both inbound connections. Room
  announcements flow A→B and C→B.

- Remaining: B needs to announce rooms back to A and C on the same
  connection so media can flow A→B→C. Currently A has no virtual
  participant for B, so media doesn't reach B's SFU for forwarding.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

crates/wzp-client/src/featherchat.rs

@@ -110,7 +110,8 @@ pub fn signal_to_call_type(signal: &SignalMessage) -> CallSignalType {
         SignalMessage::SessionForward { .. } => CallSignalType::Offer, // reuse
         SignalMessage::SessionForwardAck { .. } => CallSignalType::Offer, // reuse
         SignalMessage::RoomUpdate { .. } => CallSignalType::Offer, // reuse
-        SignalMessage::FederationRoomJoin { .. }
+        SignalMessage::FederationHello { .. }
+        | SignalMessage::FederationRoomJoin { .. }
         | SignalMessage::FederationRoomLeave { .. }
         | SignalMessage::FederationParticipantUpdate { .. } => CallSignalType::Offer, // relay-only
     }